Reviewed:  https://review.openstack.org/260277
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=291e71990a0866836d1becea6d519df9abaaa186
Submitter: Jenkins
Branch:    master

commit 291e71990a0866836d1becea6d519df9abaaa186
Author: Mark McLoughlin <[email protected]>
Date:   Mon Dec 21 23:54:17 2015 +0000

    signature_utils: handle ECC curve unavailability

    Some ECC curves are unavailable on some platforms (like Fedora,
    RHEL, and CentOS) because of legal concerns. See the bug report
    for more details and history.

    The cryptography backend has an elliptic_curve_supported() method
    which we can use to avoid curves which are unavailable on the
    current platform. If an image signature uses one of these curves,
    we will return an "Invalid signature key type" error.

    Use the warnings module in the unit tests to avoid silently
    ignoring this issue during testing. This warning will be captured
    from the test's stderr and reported by testr.

    Closes-Bug: #1528393

    Change-Id: Ie25311c48b276f300fadaf1815fc4df4cb89cf8d
    Signed-off-by: Mark McLoughlin <[email protected]>

** Changed in: nova
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1528393

Title:
  signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC
  curves are available

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Not all ECC curves we use in signature_utils are available on all
  platforms - e.g.

  On RHEL 7.2

  $ openssl ecparam -list_curves
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

  On Fedora 23 ...

  $ openssl ecparam -list_curves
    secp256k1 : SECG curve over a 256 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

  There's a long history surrounding the lack of ECC support in openssl
  in Fedora, RHEL, and CentOS because of legal issues - see
  https://bugzilla.redhat.com/show_bug.cgi?id=319901

  Some ECC curves are now available, but each additional one requested
  will be considered individually - there is a tracker bug for this:
  https://bugzilla.redhat.com/showdependencytree.cgi?id=1019390&hide_resolved=0

  This is the failure I'm seeing since
  https://review.openstack.org/#/c/256069/ was merged

  nova.tests.unit.test_signature_utils.TestSignatureUtils.test_verify_signature_ECC
  ---------------------------------------------------------------------------------

  Captured traceback:
  ~~~~~~~~~~~~~~~~~~~
      Traceback (most recent call last):
        File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/mock/mock.py", line 1305, in patched
          return func(*args, **keywargs)
        File "nova/tests/unit/test_signature_utils.py", line 178, in test_verify_signature_ECC
          default_backend())
        File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 241, in generate_private_key
          return backend.generate_elliptic_curve_private_key(curve)
        File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 247, in generate_elliptic_curve_private_key
          _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
      cryptography.exceptions.UnsupportedAlgorithm: This backend does not support this elliptic curve.
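
The approach the commit message describes, as an added example that is not nova's code and not part of the original notification: ask the backend which curves it supports, register only those as signature key types, warn about the rest, and reject an image signature that names an unavailable curve with the "Invalid signature key type" error. `ListedCurvesBackend`, the candidate curve list, the `ECC_` key-type naming and the exception class are assumptions constructed here; the stand-in backend models the two `openssl ecparam -list_curves` listings from the bug report so the block runs without the cryptography package.

```python
import warnings
from collections import namedtuple

# Stand-in for cryptography's curve objects, which expose a .name attribute.
Curve = namedtuple("Curve", "name")

class ListedCurvesBackend:
    """Constructed stand-in for a cryptography backend (assumption, not the real class)."""
    def __init__(self, names):
        self._names = frozenset(names)

    def elliptic_curve_supported(self, curve):
        # Same method name the commit message relies on.
        return curve.name in self._names

# Curve sets from the bug report's listings; OpenSSL's "prime256v1" is the
# curve cryptography calls "secp256r1".
RHEL_72 = ListedCurvesBackend({"secp384r1", "secp521r1", "secp256r1"})
FEDORA_23 = ListedCurvesBackend({"secp256k1", "secp384r1", "secp521r1", "secp256r1"})

# Constructed candidate list: curves an image signature might name.
CANDIDATE_CURVES = [Curve(n) for n in
                    ("secp256k1", "secp256r1", "secp384r1", "secp521r1", "sect571k1")]

class SignatureVerificationError(Exception):
    """Hypothetical error type raised when a signature cannot be checked."""

def supported_ecc_key_types(backend, curves=CANDIDATE_CURVES):
    """Map key-type names to curves, keeping only curves the backend supports."""
    key_types = {}
    for curve in curves:
        if backend.elliptic_curve_supported(curve):
            key_types["ECC_" + curve.name.upper()] = curve
        else:
            # Surfaced in test output instead of being silently ignored.
            warnings.warn("ECC curve '%s' not supported by this backend" % curve.name)
    return key_types

def curve_for_key_type(key_type, backend):
    """Fail closed: an unavailable curve is an invalid key type, not a crash."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # warnings belong to test runs, not verification
        key_types = supported_ecc_key_types(backend)
    try:
        return key_types[key_type]
    except KeyError:
        raise SignatureVerificationError("Invalid signature key type: %s" % key_type)
```

With a real backend, the object returned by cryptography's `default_backend()` would be passed in place of the stand-in.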

